«But as the value of what people do online has increased, the Internet itself has become more complex, vulnerable, and dangerous. Online identity theft, fraud, and privacy concerns are on the rise, stemming from increasingly sophisticated practices such as “phishing,” “spear-phishing,” and pharming. Keeping track of multiple accounts, passwords and authentication methods is difficult and frustrating for users. “Password fatigue” results in insecure practices such as re-using the same account names and passwords at many sites.»

Further on we can read:

«The consequences of these problems are severe and growing. The number of “phishing” attacks and sites has skyrocketed. There are reports that online banking activity is declining. Recent regulatory guidance on authentication in online banking reports that “Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.” (referring here to the Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment, October 2005) Consumer trust of the Internet is low and ever-dropping (referring this time to the National Consumers League, A Call for Action: Report from the NCL Anti-Phishing Retreat, March 2006) Clearly, the status quo is no longer a viable option.»

«More troubling is the close connection with Microsoft as the release and accompanying press coverage at times feels like an infomercial for the software giant. The Ontario Privacy Commissioner’s Office has worked with Microsoft in the past, however, this initiative goes to great lengths to extol not only the Seven Laws, but also the company itself. The White Paper devotes nearly three pages to Microsoft’s much-criticized Passport program and its CardSpace identity management feature that will be included in Vista, its forthcoming operating system upgrade.

The Office’s seemingly unqualified embrace of Microsoft strikes me as a mistake for several reasons. First, there are other companies developing similar solutions and they should be granted equal airtime. Second, the CardSpace feature includes a significant DRM component. When combined with the Vista licensing terms that prohibit circumvention, users are entrusting both their privacy and total computer experience to Microsoft (see Wendy Seltzer’s review of the implications of the Vista terms and how that trust is being repaid). Third, while it is good to see privacy commissioner offices in Canada working with the business community, they must take care to maintain sufficient distance to be advocates for privacy, not for particular companies and their products. There is a fine line between co-operating and becoming co-opted and there is reason to believe that this initiative falls on the wrong side of the line.»

Comments

I appreciate you tackling these problems in such depth. But I urge you to think a bit more deeply about what I’m proposing. Establishing the principle that there must be pluralism, and that the user needs to be in control, and understand what is happening with respect to their identity and information, are really key.

Please spend some time contemplating some of the alternate futures, and who might support them.

Go through my web site over the last couple of years as a body of work and I hope I can garner your support.

Thanks Kim for your answer; it’s always a pleasure to generate interaction with a post, particularly when the answer comes from the person directly in charge of the project.

I of course read The 7 Laws paper before writing my post, and the notion of pluralism you mentioned in your answer is not particularly obvious to identify in it. Principle 5 needs (for an external person like me) some precision, and the fact that MSFT seems to be the only company involved in this project is quite dubious.

Concerning the 7 laws, I gave a very quick comment on each of them in my post. To make a link with your comment, it’s not because consent of people is required that their rights and consideration would be safe. In fact, usual will (contract) is very often a poor solution considering the length of clauses, lack of plain English, illegibility, etc. (see The Colour of eConsent)

At least, I’m always surprised by the fact that a serious study such as this one is not based on solid statistics on identity theft and other pleas. I have been interested in cyberspace for 15 years now and we had several opportunities to appreciate “fake fears” (EDI or Die, Y2K, etc.) and “fake hopes” (B2B in 2001). So, sorry for the suspicion.

The good news is I’m pretty sure we want the same thing: more security and more trust in eBusiness (even if I’m not sure the lack of trust is so obvious: ecompanies never did so much business). But the solutions I mentioned are not the same: «Working Together to Prevent Identity Theft» proposed several of them; education is another too. With respect, both of them seem to me more urgent than the universal technical tool you propose. One more time, it’s an external perspective on a pending project and I hope to be wrong.

Kim,
I have to say, notwithstanding the excellent job you have done, I share VG’s comments. I would add that we are in an age where security paranoia seems to be a reason for numerous infringements on fundamental rights and an even better reason, for some people/corporations, to make a buck.